The Digital Operational Resilience Act ("DORA") - Impact on Swedish and Norwegian AIFMs

October 11, 2024

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) aims to address the increasing reliance on Information and Communication Technology (ICT) in the financial sector and its associated risks. The regulation will apply as of 17 January 2025 in the EU and is expected to be adopted in Norway, where the timeline is unclear. AIFMs and other affected financial entities should start their preparations.

Digitalization has deeply integrated ICT into financial services, making systems more vulnerable to cyber threats. Despite various international and national efforts to enhance digital resilience, ICT risk management remains inconsistent across the EU. The lack of harmonization creates regulatory gaps between member states and challenges for cross-border financial entities. DORA introduces a comprehensive EU-wide regulation to consolidate ICT risk management, ensuring a uniform approach that strengthens operational resilience, stability, and consumer protection in the financial sector. DORA will apply to financial entities, including authorised alternative investment fund managers (AIFMs), but excludes sub-threshold AIFMs as defined in Article 3(2) of Directive 2011/61/EU. Article 4 of DORA introduces a principle of proportionality, promoting a risk-based approach to implementing certain parts of the regulation. Permian recommends that AIFMs take the principle of proportionality into consideration when implementing all parts of DORA.


AIFMs and other affected financial entities in Sweden have just a few months left to ensure compliance with the regulation. Swedish AIFMs must comply with DORA requirements once the regulation applies in the EU.

The Norwegian Ministry of Finance has proposed to adopt DORA into Norwegian law; however, the exact timeline remains unclear.


Key substantial requirements

DORA introduces a comprehensive set of requirements for financial entities. The following key issues are central to the regulation.

ICT Risk Management

DORA Chapter II, Articles 5 to 16, mandates that financial entities establish robust risk management tools, methods, processes, and policies. The chapter outlines several key requirements for financial entities, including but not limited to:

  • Structuring their organization and internal governance effectively.
  • Establishing an ICT risk management framework as a part of their overall risk management system.
  • Utilizing and maintaining ICT systems, protocols, and tools.
  • Identifying, classifying, and adequately documenting all ICT-supported business functions, roles, and responsibilities.
  • Adequately protecting ICT systems and organizing response measures.
  • Promptly detecting and responding to anomalous activities.
  • Implementing a comprehensive ICT business continuity policy.
  • Ensuring the restoration of ICT systems and data with minimal downtime, disruption, and loss.
  • Gathering information on vulnerabilities, cyber threats, and ICT-related incidents, particularly cyber-attacks, and analysing their potential impact on digital operational resilience.
  • Facilitating the responsible disclosure of major ICT-related incidents or vulnerabilities to clients, counterparts, and, where appropriate, the public.


ICT-related incident management and digital operational resilience testing

DORA Chapter III, Articles 17 to 23, and Chapter IV, Articles 24 to 27, regulate ICT-related incident management and digital operational resilience testing. The chapters outline several key requirements for financial entities, including but not limited to:

  • Financial entities shall establish processes to detect, manage, and notify ICT-related incidents.
  • All ICT-related incidents and significant cyber threats must be recorded, and root causes must be identified and addressed.
  • Financial entities must report major ICT-related incidents to relevant competent authorities using standard templates. Financial entities must also inform clients affected by major incidents and provide appropriate guidance for significant cyber threats.
  • Financial entities must implement a comprehensive digital operational resilience testing program as part of their ICT risk management framework. This program helps assess preparedness for ICT-related incidents and identify weaknesses. Testing should be risk-based, considering the evolving ICT landscape.
  • The digital operational resilience testing program shall provide, in accordance with the risk-based approach, for the execution of appropriate tests, such as vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.


Managing ICT Third-Party Risk

DORA Chapter V, Articles 28 to 44, elaborates on the key principles for sound management of ICT third-party risk and the oversight framework for critical ICT third-party service providers. The chapter outlines several key requirements for financial entities, including but not limited to:

  • Financial entities must adopt and regularly review an ICT third-party risk strategy, including a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
  • Maintain a detailed register of all contractual arrangements on the use of ICT services provided by ICT third-party service providers. Report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided. (In a consultation (Sw. remiss) published by the Swedish FSA on 5 September 2024, the proposed date of first filing of the register of contractual arrangements is 28 February 2025. Since the template for the register of contractual arrangements has not yet been adopted by the EU Commission, it remains to be seen which date will apply. Several respondents to the consultation have requested a delayed first reporting.)
  • Before entering into contracts, financial entities must: assess if the contractual arrangement covers the use of ICT services supporting a critical or important function, ensure compliance with supervisory conditions, identify and assess all relevant risks and conflicts of interest in relation to the contractual arrangement, perform due diligence on third-party providers and assess if the ICT third-party service provider is suitable.
  • Financial entities may only enter into contractual arrangements with providers that meet appropriate information security standards, especially for critical functions.
  • Establish a risk-based approach for audits and inspections of third-party providers, ensuring auditors have the necessary skills.
  • Contractual arrangements must include conditions for termination in the event of a significant breach of applicable laws or contractual terms by the ICT third-party service provider, performance issues, or impediments to regulatory supervision.
  • Develop exit strategies for contractual arrangements on the use of ICT services supporting critical or important functions to avoid disruption during transitions.


Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)

The regulation has been specified and clarified by several Draft Regulatory Technical Standards (RTS) and Draft Implementing Technical Standards (ITS) that have been released in different tranches by the European Supervisory Authorities. These draft technical standards have yet to be adopted by the European Commission.


The proportionality principle in Article 4 and relevance for AIFMs

Article 1 of DORA establishes that the regulation's requirements primarily target financial entities. A more detailed definition of "financial entities" is provided in Article 2, which also specifies which entities are exempt from its scope. This definition includes, among others, AIFMs. However, DORA Article 2(3) explicitly exempts sub-threshold AIFMs (i.e. managers that are only registered, not authorised).

Article 4 introduces a principle of proportionality. Article 4(1) addresses the proportionate implementation of Chapter II. According to Article 4(1), the implementation of Chapter II by financial entities must adhere to the principle of proportionality, taking into account their size, overall risk profile, and the nature, scale, and complexity of their services, activities, and operations.

Similarly, Article 4(2) states that the application of Chapters III and IV and of Chapter V, Section I, must also be proportionate to the financial entities' size, overall risk profile, and the nature, scale, and complexity of their services, activities, and operations, as specifically provided for in the relevant rules of those Chapters. While this provision is similar to Article 4(1), it differs by requiring that proportionality considerations align with the specific rules outlined in those Chapters.

Financial entities classified as 'Microenterprises,' as defined in Article 3, remain within the scope of DORA but are exempt from certain requirements outlined in the regulation. In brief, a microenterprise is a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.


The way forward for AIFMs in a DORA-regulated world

To ensure compliance with DORA, it is essential to start by providing high-level training to the board and key staff. We recommend that a designated individual is appointed to oversee the implementation of DORA. Relevant personnel, including those in legal, compliance, risk management, IT, and the board, must be actively involved in the process.

As a next step, a gap analysis could be prepared to identify areas needing improvement. Based on the analysis, a detailed action plan could be developed.

Key governance measures must be put in place, including the establishment of an internal ICT risk governance structure and the updating of relevant policies as required by Chapter II. Additionally, an ICT-related incident management process should be implemented in accordance with Chapter III. Digital operational resilience testing, as outlined in Chapter IV, needs to be introduced, along with the management of ICT third-party risk, as specified in Chapter V.


The DORA implementation in the manager's internal control system could be done either by updating policies that are already in place (e.g. outsourcing policy, risk policy) or by preparing a new set of DORA policies.

It is crucial to report progress back to the board before DORA applies on 17 January 2025, since DORA assigns the overall responsibility for ICT resilience to the board. The board should also adopt the updated policies.

One of the first steps after the DORA application date is the filing of the AIFM’s register of ICT contractual arrangements. The deadline for the filing is yet to be decided upon by the Swedish FSA, but as mentioned above under the section Managing ICT Third-Party Risk, the proposed deadline is 28 February 2025.

After the implementation of DORA, we also expect the compliance officer, risk manager, or internal audit team to be tasked with conducting a control assessment of the implementation to verify that all DORA requirements have been met.


Contact

Anna Berntson Petas, Head of Legal and Compliance anna.berntson@permian.se

Erik Elkan, Risk Manager erik.elkan@permian.se

Samuel Hörberg Delac, Legal Counsel samuel.delac@permian.se
